Trustwave Application Penetration Test Digitaltransactions-080815
Boland Hills<br />
<strong>Application</strong> <strong>Penetration</strong> <strong>Test</strong> Report<br />
Digital Transactions<br />
August 15, 2008<br />
Copyright © 2008 <strong>Trustwave</strong>. All Rights Reserved.<br />
CONFIDENTIAL INFORMATION – FOR INTERNAL USE ONLY<br />
This document is the property of Boland Hills; it contains information that is proprietary,<br />
confidential, or otherwise restricted from disclosure. If you are not an authorized recipient, please<br />
return this document to the above-named owner. Dissemination, distribution, copying or use of this<br />
document in whole or in part by anyone other than the intended recipient is strictly prohibited<br />
without prior written permission of <strong>Trustwave</strong> and Boland Hills.
Report Author: Jon Rose, Security Consultant, Trustwave<br />
Customer: Boland Hills<br />
Application: Digital Transactions<br />
Project: Application Penetration Test<br />
Document Control:<br />
Draft Version 0.1, 08/15/2008, Jon Rose<br />
QA Review 0.5, 08/22/2008, Trustwave QA<br />
Final Version 1.0, 08/24/2008, Jon Rose<br />
Table of Contents<br />
1 EXECUTIVE SUMMARY............................................................................................ 4 <br />
1.1 Scope ................................................................................................................... 4 <br />
1.2 Results ................................................................................................................. 4 <br />
1.3 Recommendations ................................................................................................. 5 <br />
2 NETWORK RECONNAISSANCE................................................................................ 6 <br />
2.1 Port Scanning........................................................................................................ 6 <br />
2.2 Banner Scanning ................................................................................................... 6 <br />
2.3 Remote OS Detection via TCP/IP Stack Fingerprinting .............................................. 6 <br />
2.4 Reconnaissance Results ......................................................................................... 6 <br />
3 APPLICATION PENETRATION TESTING METHODOLOGY ....................................... 8 <br />
3.1 Information Gathering ..........................................................................................10 <br />
3.2 <strong>Application</strong> Investigation .......................................................................................10 <br />
3.2.1 Site Overview ............................................................................................10 <br />
3.2.2 Data Handling and Request Processing........................................................10 <br />
3.3 Issue Identification And System Exploitation...........................................................12 <br />
3.4 Compromise.........................................................................................................12 <br />
3.5 Data Extraction ....................................................................................................12 <br />
3.6 Further Compromise .............................................................................................12 <br />
4 RISK LEVELS......................................................................................................... 13 <br />
5 DISCOVERED VULNERABILITIES ......................................................................... 15 <br />
6 CONCLUSION........................................................................................................ 26 <br />
List of Tables<br />
Table 1 – Information Provided ............................................................................................ 4 <br />
Table 2 – Recommendation Summary................................................................................... 5 <br />
Table 3 - Supporting <strong>Application</strong> Infrastructure ..................................................................... 7 <br />
Table 4 - <strong>Application</strong> Attack Classes.................................................................................... 11 <br />
Table 5 - Risk Rankings ..................................................................................................... 14 <br />
1 Executive Summary<br />
Boland Hills (Boland Hills) engaged the SpiderLabs division of <strong>Trustwave</strong> (<strong>Trustwave</strong>) to<br />
perform an application penetration test of the Digital Transactions application. The primary<br />
objective of this security test was to gauge the resiliency of the Digital Transactions application<br />
to various attacks launched against both authenticated and unauthenticated surfaces.<br />
1.1 Scope<br />
Before the penetration exercise began, Boland Hills provided the <strong>Trustwave</strong> team with the<br />
following information:<br />
IP Addresses and Domain Names: digitaltransactions.net: 69.67.208.190<br />
Exempt Architecture or Application Components: No architecture or application components were exempt from testing.<br />
Test IDs Used: No user accounts were supplied for testing.<br />
Table 1 – Information Provided<br />
1.2 Results<br />
After careful review of the systems and access levels included in this test, <strong>Trustwave</strong> feels that<br />
Boland Hills needs to take additional measures in order to protect itself from compromise.<br />
Vulnerabilities were found related to improper input sanitization that may enable a more<br />
complex attack, for example, Cross-Site Scripting and SQL Injection. The most severe of these<br />
vulnerabilities, SQL Injection, was immediately fixed by the Digital Transactions team and<br />
verified closed by <strong>Trustwave</strong> during testing. By implementing best practices and the<br />
recommendations in this report, Boland Hills can strengthen the security of Digital Transactions<br />
and prevent additional vulnerabilities that were identified.<br />
Vulnerability (Risk): Recommendation Summary<br />
SQL Injection (High): Sanitize user-supplied input against a white-list of good characters and redesign the application to use cfstoredproc or cfqueryparam elements when querying databases.<br />
Email Denial of Service (Medium): Consider building an administrative orders page that allows a Digital Transactions employee to review submitted orders online instead of having automatic emails created.<br />
Missing Security Patches (Medium): Review and install all recent ColdFusion security patches. Register with the Adobe Security Notification system to be informed of the latest updates for ColdFusion.<br />
Multiple Cross-Site Scripting Vulnerabilities (Medium): Implement best practices for user-input sanitization across all application source code.<br />
FTP Enabled (Low): Replace FTP with a more secure file transfer mechanism such as SCP or SFTP.<br />
Missing Custom Error Page (Low): Configure error handling pages through the ColdFusion Administrator Server Settings page.<br />
Table 2 – Recommendation Summary<br />
Boland Hills’s efforts, as evidenced by this test, show a strong basis for a comprehensive<br />
information security program; Boland Hills should continue a multi-year program of periodic<br />
assessments and reviews addressing both technical and policy issues as part of an ongoing<br />
information security program.<br />
1.3 Recommendations<br />
<strong>Trustwave</strong> has documented recommendations for the remediation of specific vulnerabilities in<br />
the appropriate sections of this report. However, based on our cumulative years of experience,<br />
industry best practices, and observations documented during testing, we suggest the following<br />
actions that Boland Hills could take to further improve their overall security posture:<br />
• Perform an analysis of the issues documented in this report and devise and implement<br />
remediation strategies for identified issues.<br />
• Execute an internal strategy for periodic development security best practices training for<br />
all developers.<br />
• Continue to perform periodic security assessments of the application source code, server<br />
security posture, and network architecture to ensure compliance with the corporate<br />
security policies and procedures.<br />
<strong>Trustwave</strong> is available to help you with any of these issues.<br />
2 Network Reconnaissance<br />
This phase of the testing focuses on gathering as much information about the target application<br />
infrastructure as possible. This report section details how we obtain information from<br />
interrogation probes directed at the target, and presents the combined results of research. Port<br />
scans attempt to determine what services the target is offering. TCP/IP fingerprinting is used to<br />
determine operating system type and version. Banner scanning is used to discover software<br />
types and version.<br />
2.1 Port Scanning<br />
Port scanning is a highly effective technique used to determine what services a target system is<br />
offering. There is a wide range of methods ranging from obvious to nearly invisible. <strong>Trustwave</strong><br />
employs SYN scanning, a method of scanning where TCP packets with the SYN flag set are sent<br />
requesting a connection. If a TCP packet with the SYN and ACK flags set is received from the<br />
target, indicating that the connection was accepted, a packet with the RST flag is sent to tear<br />
down the connection.<br />
2.2 Banner Scanning<br />
Banner scanning is a technique for determining the type and version of a particular network<br />
service. The testing team connects to an open port and parses any information that is returned.<br />
This information is then used to search for exploits for that specific service and version.<br />
2.3 Remote OS Detection via TCP/IP Stack Fingerprinting<br />
<strong>Trustwave</strong> utilizes OS fingerprinting in an attempt to discover the exact type and version of the<br />
operating system to provide additional insight into potential vulnerabilities. It should be noted<br />
that OS fingerprinting is most effective when at least one port on the target host is open, and at<br />
least one port is verifiably closed. If some piece of network hardware blocks all non-open ports,<br />
it significantly reduces the accuracy of the remote OS guess.<br />
2.4 Reconnaissance Results<br />
The test team conducted reconnaissance against the services discovered, and/or listed in Table<br />
1. The following table represents the core application infrastructure components:<br />
IP Address: 69.67.208.190<br />
Domain Names: digitaltransactions.net<br />
Operating System: Microsoft Windows Server 2003 SP1<br />
Applications: Digitaltransactions<br />
Open Ports: 21/TCP, 80/TCP, 443/TCP<br />
Notes: IIS v6.0<br />
Table 3 - Supporting Application Infrastructure<br />
3 Application Penetration Testing Methodology<br />
<strong>Trustwave</strong>'s primary goal in conducting the penetration test was to circumvent application<br />
security controls and gain access to the systems and protected data an unauthenticated or<br />
unauthorized user should not be able to obtain. The attack simulation was structured to enable<br />
Boland Hills to accurately understand their current controls and how they could be<br />
circumvented during an actual attack. No attempts were made to disguise the simulated attack;<br />
it should be noted that actual attacks might not be as obvious to system and application<br />
administrators.<br />
The manner in which the testing was performed encompassed several distinct phases. The<br />
following phases applied to both the public and the protected sections of the Digital<br />
Transactions application.<br />
To visually depict our methodology for penetration testing, we have provided a process flow<br />
diagram. This diagram is shown on the next page, followed by a narrative of each step.<br />
3.1 Information Gathering<br />
Before performing active testing, <strong>Trustwave</strong> gathered information about the manner in which<br />
the various elements of the application operate. Manual investigation and automated tools were<br />
used to traverse the entire application in order to document all distinct inputs and processes.<br />
<strong>Trustwave</strong> used automated tools to make a local copy of the Digital Transactions webpages and<br />
investigated them in detail.<br />
Working with local copies of the HTML, the <strong>Trustwave</strong> team mapped the application’s attack<br />
surface by determining how various application elements are called as well as the parameters<br />
and data types passed to the application elements. All HTTP queries that accepted client-supplied<br />
data were deemed a distinct element of the application. The application was then<br />
investigated online to better understand how elements worked together and to discover any<br />
elements that may have been missed during the HTML review.<br />
3.2 <strong>Application</strong> Investigation<br />
After gaining a basic understanding of the application environment, <strong>Trustwave</strong> manually probed<br />
the various application elements identified, as described within the Information Gathering<br />
section of this methodology. <strong>Test</strong> data for each parameter was supplied and traced throughout<br />
the application. Data flows and application-interdependencies were discovered. Client-side<br />
scripting was traced manually.<br />
3.2.1 Site Overview<br />
The Digital Transactions application is a ColdFusion application that does not require<br />
authentication. The site consists of online articles for “Digital Transactions” magazine related to<br />
information technology and its effect on business and consumers. The site also provides<br />
research documents on consumer electronic transactions in PDF format as a product. The<br />
application itself is Internet-accessible.<br />
3.2.2 Data Handling and Request Processing<br />
The Trustwave team reviewed the application for generic vulnerabilities which occur in a wide<br />
variety of applications. These issues are generally due to incorrect or unsafe handling of client-supplied<br />
data. To that end, attempts were made to disrupt the process-flow and induce the<br />
application to behave in unexpected, anomalous, or dangerous ways by supplying specific and<br />
hazardous data. This includes data containing characters that could either redirect program flow<br />
or force errors.<br />
The majority of web-based application vulnerabilities fall into the general category of “improper<br />
meta-character handling”. This category includes such issues as SQL Injection, Shell-Escape<br />
Command Execution and Cross-Site Scripting (XSS). The essential issue underlying all meta-character<br />
vulnerabilities is a failure on the application's part to correctly filter and interpret<br />
unexpected characters. These characters are sometimes referred to as “special” characters.<br />
Different shells, applications, command processors and languages respond in different but<br />
predictable ways to specific combinations of characters. If an application does not properly<br />
sanitize client input, a malicious user may, among other actions, be able to access or modify<br />
protected or privileged data, execute arbitrary code on a server, or induce a legitimate user to<br />
execute code on the attacker’s behalf.<br />
In testing for meta-character sanitization, <strong>Trustwave</strong> supplied data with specific characters and<br />
interpreted server responses. Meta-characters that have meaning to a wide variety of<br />
applications were tested; some of these characters are likely benign in the Boland Hills<br />
application infrastructure. Since application infrastructure changes cannot be accurately<br />
predicted, <strong>Trustwave</strong> feels that the best approach is to protect against all meta-characters, not<br />
just those known to the current environment.<br />
An analysis of each category can be found below.<br />
Session Management (analysis of session state, cookies, session theft): Cookie Predictability, Cookie Manipulation, Cookie Analysis, Session Theft, Session Fixation, Session Trapping, Ability to Sniff Application Traffic, Potential for Man in the Middle, Potential for phishing, Eavesdropping, Cross-Site Request Forgery, and others.<br />
Input Validation (this attack tree is predicated on poor application input validation): Cross-Site Scripting (XSS), Alternate XSS Syntax, Blind SQL Injection, Blind XPath Injection, Command Injection, Handling of Meta-Characters, HTTP Response Splitting, Application Interpreter Injection, SQL Injection, Server-Side Includes (SSI) Injection, Encoding Types Supported, and others.<br />
Parameter Tampering (these attacks deal primarily with data theft and escalation of privileges; there is overlap with Input Validation attacks): Type Conversion Errors, Argument Injection or Modification, Code/Command Injection, Application Common Elements, Direct Dynamic Code Evaluation, HTTP Request Smuggling, HTTP Response Splitting, XML Injection, and others.<br />
Programmatic Errors (these attacks are launched against the application engine and application server themselves; they deal with “universal” weaknesses in the architecture that manifest themselves in the application flow): Directory/Path Traversal, Attacks Against Application Error Pages, Buffer Overflows, Format String, Forceful Browsing, Integer Overflows/Underflows, Log Forging, and others.<br />
Table 4 - Application Attack Classes<br />
3.3 Issue Identification And System Exploitation<br />
Identified vulnerabilities were combined with knowledge of attack logic to leverage system<br />
exploits. The testing team then used information gathered in the reconnaissance phase to<br />
identify possible vulnerabilities and devise an attack strategy. Specific attacks were crafted for<br />
the application or network to exploit a vulnerability. The test team kept careful notes of controls<br />
in place that would inhibit the successful exploitation of an application or system. To minimize<br />
any potential negative impact, exploitation was only attempted when it would not adversely<br />
affect production applications and systems, and then only to confirm the presence of a specific<br />
vulnerability. Any exploitation with the potential to cause unwanted system downtime or<br />
seriously impact business continuity was carefully coordinated with Boland Hills.<br />
3.4 Compromise<br />
If application elements were compromised, the client’s key security contacts were notified<br />
immediately. The client contacts were given the opportunity to decide if the particular<br />
application should undergo additional tests. If they decided to have <strong>Trustwave</strong> continue,<br />
additional techniques were used to further penetrate the target application and supporting<br />
environment. The client’s key security personnel were notified immediately once successful<br />
exploitation allowed Trustwave to compromise client data.<br />
3.5 Data Extraction<br />
If confidential application data or files were compromised, a sample was downloaded and<br />
securely stored by <strong>Trustwave</strong> until the presentation of the deliverable. When practical, sensitive<br />
data has been masked in this report as an additional measure to protect client confidentiality.<br />
3.6 Further Compromise<br />
Once a portion of an application has been compromised, there are many trust relationships that<br />
may be exploited. Additionally, data exposed through a compromise may lead to the<br />
compromise of additional portions of an application. <strong>Trustwave</strong> used this information to launch<br />
a new stage of discovery against the application.<br />
4 Risk Levels<br />
The following levels categorize the risk of issues presented in this report.<br />
Risk Level: Definition<br />
Critical:<br />
• The attack scenario tested in this exercise succeeded, and resulted in a systems compromise<br />
• Exploitation impacts production systems without requiring valid authentication<br />
• Exploitation is trivial<br />
• Successful exploitation results in a large-scale loss of customer or cardholder information — no controls to prevent the exploit are present or controls to prevent the vulnerability from being exploited are ineffective<br />
• A strong need for immediate corrective measures exists<br />
High:<br />
• The attack scenario tested in this exercise succeeded, and resulted in a systems compromise<br />
• Technical vulnerability details and/or exploit code are publicly available<br />
• An additional attack vector may be needed to craft a successful attack using this exploit, but that vector is trivial<br />
• No controls to prevent the exploit are present or controls to prevent the vulnerability from being exploited are ineffective<br />
• Exploitation of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources or (2) may significantly violate, harm, or impede the organization’s mission, reputation, or interest<br />
• A strong need for corrective measures exists<br />
Medium:<br />
• Exploitation requires a skilled attacker<br />
• Exploitation does not result in elevated privileges<br />
• Controls are in place that may impede successful exploitation of the vulnerability<br />
• To craft a successful attack using this exploit/vulnerability an additional vector is needed (such as phishing or social engineering); this additional attack vector might be something challenging<br />
• Exploitation of the vulnerability (1) may result in the costly loss of tangible assets or resources or (2) may violate, harm, or impede the organization’s mission, reputation, or interest<br />
• Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time<br />
Low:<br />
• Exploitation is extremely difficult<br />
• Controls are in place to prevent, or at least significantly impede, the vulnerability from being exploited<br />
• The attack scenario under which this vulnerability can be exploited is possible, but extremely unlikely<br />
• Exploitation of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect the organization’s mission, reputation, or interest<br />
• The system’s accrediting authority must determine whether corrective actions are required or decide to accept the risk<br />
Informational:<br />
• Information disclosed may be of interest to an attacker<br />
• The information disclosed will be useful to an attacker should a higher risk issue be found that allows for a system exploit<br />
• Information is disclosed that is necessary to carry out an attack<br />
Table 5 - Risk Rankings<br />
5 Discovered Vulnerabilities<br />
This section provides details regarding vulnerabilities that were identified during testing.<br />
Vulnerability: SQL Injection<br />
Risk: High<br />
Impact: SQL Injection allows an attacker to bypass all business logic and gain direct access to application data. These types of attacks often allow for the unauthorized disclosure of customer information, privilege escalation, and the corruption of system data.<br />
Vulnerable System: http://www.digitaltransactions.net/newsstory.cfm<br />
Comments<br />
• SQL Injection is a vulnerability that allows an attacker to insert arbitrary commands into a SQL query or<br />
statement. It is possible when user-supplied input is not properly sanitized before being used in a command sent<br />
to the database server. Most commonly, SQL Injection can allow an attacker to extract data stored in the<br />
targeted database. Under the right circumstances, it can be used to modify data, execute operating system<br />
commands, read and write local files, and even tunnel internal network traffic to the Internet.<br />
• The “newsid” parameter on http://www.digitaltransactions.net/newsstory.cfm is vulnerable to SQL Injection.<br />
When a single quote (') was appended to the query parameter, the resulting error message indicated that SQL<br />
Injection was likely.<br />
• By crafting a specially formatted request, <strong>Trustwave</strong> was able to retrieve the database schema, including table<br />
and column names. An example URL is below; the injected SQL is everything that follows the newsid value:<br />
http://www.digitaltransactions.net/newsstory.cfm?newsid=182111+union+select+null,TABLE_NAME,column_name,null,null,null%20from%20information_schema.columns--<br />
• Multiple commands could be submitted by separating them with a semicolon (;). This could allow for<br />
manipulation of database content, although such an attack was not attempted. Extended procedures that can<br />
execute operating system commands (xp_cmdshell and sp_oacreate) were not enabled.<br />
NOTE: This issue was communicated to the client and fixed immediately. Further testing has shown this issue is<br />
now closed.<br />
Example<br />
The screenshot below shows the SQL injection on the digitaltransactions site which displays the tables and column<br />
names from the backend database.<br />
Recommendation<br />
• Sanitizing user-supplied input against a white-list of good characters is a recommended best-practice, regardless<br />
of how the input is used. The white-list should always be made as restrictive as possible. For example, with a zip<br />
code parameter, user input should only be accepted if it is comprised entirely of numbers. Validation should be<br />
performed on the application server, since client-side validation is trivial to bypass.<br />
• For ColdFusion applications, all database access should be performed using cfstoredproc or cfqueryparam<br />
elements. These elements will allow the application to securely pass data into prepared SQL statements or<br />
stored procedure parameters, and provide automatic escaping of characters such as single quotes. These<br />
elements can also be used to enforce strong data typing and input length requirements. This provides a robust<br />
defense against SQL Injection attacks since all query input data, regardless of its source, will be properly<br />
escaped and/or validated.<br />
• When building a SQL statement, it is critical to avoid concatenating user-supplied input into a predefined query.<br />
Doing so will negate the benefits of using prepared statements.<br />
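The two query forms below are an added illustration, not code from the report or from the digitaltransactions application; the datasource name, the news table and its columns, and the form field name are assumptions. The first cfquery shows the concatenation pattern that makes the injection in the finding above possible, the second the cfqueryparam form the recommendation calls for.

```cfml
<!--- BEFORE (assumed vulnerable pattern): the raw URL value is pasted into the SQL text, so a value such as
      "182111 union select ..." or "182111; <second statement>" becomes part of the query itself. --->
<cfquery name="story" datasource="digitrans">
    SELECT newsid, headline, body
    FROM news
    WHERE newsid = #url.newsid#
</cfquery>

<!--- AFTER: validate against a white-list on the server first. A news id is a positive integer and nothing else;
      anything that fails the check is rejected before any database work happens. --->
<cfparam name="url.newsid" default="0">
<cfif NOT isValid("integer", url.newsid) OR url.newsid LTE 0>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput><p>Invalid story identifier.</p></cfoutput>
    <cfabort>
</cfif>

<!--- The value is bound as a typed parameter and never spliced into the SQL text. cf_sql_integer also makes
      ColdFusion raise an error for non-numeric input, so the database never receives it. --->
<cfquery name="story" datasource="digitrans">
    SELECT newsid, headline, body
    FROM news
    WHERE newsid = <cfqueryparam cfsqltype="cf_sql_integer" value="#url.newsid#">
</cfquery>

<!--- Free-text input (the site search form, for example) follows the same rule: a typed, length-limited
      parameter instead of string concatenation. maxlength caps what the database ever sees. --->
<cfparam name="form.searchstring" default="">
<cfquery name="results" datasource="digitrans">
    SELECT newsid, headline
    FROM news
    WHERE headline LIKE <cfqueryparam cfsqltype="cf_sql_varchar"
                                      value="%#form.searchstring#%" maxlength="102">
</cfquery>
```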
Related Information<br />
http://www.us-cert.gov/cas/tips/ST04-015.html<br />
Vulnerability: Email Denial of Service<br />
Risk: Medium<br />
Impact: An attacker or competitor could cause a major disruption of online business by flooding<br />
digitaltransactions employees’ email with junk order requests and cause legitimate<br />
business to be lost.<br />
Vulnerable System: http://digitaltransactions.net/datastore/order.htm<br />
Comments<br />
• The order page on the digitaltransactions web site is designed to take customer information for purchasing<br />
reports. This page allows a customer to request specific reports, quote a price, and then submit the order for<br />
review. The completed form is then automatically emailed to a digitaltransactions employee for review and<br />
additional processing, such as collecting billing information.<br />
• Since the system is designed to automatically send emails when a request is submitted, a malicious user could<br />
repeatedly make requests to the order page resulting in an extremely large number of emails.<br />
• An attacker could automate this process which would quickly fill the recipient’s email mailbox and cause a denial<br />
of service. The <strong>Trustwave</strong> team believes a sustained attack against this page would continuously fill the email<br />
box of the digitaltransactions employee responsible for processing orders and cause major business operational<br />
issues.<br />
Example<br />
The following screenshot shows the order page of the application:<br />
Clicking on submit sends an email to digitaltransactions.net<br />
By simply pressing the submit button, even without filling out any input fields, an email is automatically generated.<br />
Depending on the bandwidth and load of the server, thousands of emails a second could be generated.<br />
Recommendation<br />
• Consider building an administrative orders page that allows a digitaltransactions employee to review submitted<br />
orders online instead of having automatic emails created. When a user submits an order, the information could<br />
be stored in a backend database and later reviewed through a web interface when convenient for a<br />
digitaltransactions employee.<br />
• The orders page could contain a list of all reports and allow a customer to select the appropriate report, rather<br />
than the error-prone process of manually typing in the report name.<br />
• Unless the price is negotiable, it should be stored in a backend database and associated with a specific report<br />
instead of allowing a user to manually enter it.<br />
• Consider redesigning the orders component of the site to utilize shopping cart functionality instead of a manual<br />
transaction process.<br />
Related Information<br />
http://www.us-cert.gov/cas/tips/ST04-015.html<br />
Vulnerability: Missing Security Patches<br />
Risk: Medium<br />
Impact: Known vulnerabilities are present in the server that may be actively exploited by<br />
attackers.<br />
Vulnerable System: http://digitaltransactions.net<br />
Comments<br />
• The Cross-Site Scripting vulnerability in the default error page indicates that ColdFusion security patches have<br />
not been applied to the server. The patch for the Cross-Site Scripting vulnerability was issued February 13,<br />
2007.<br />
• Missing critical security patches indicates a lack of patch management and monitoring as part of ongoing system<br />
maintenance.<br />
Recommendation<br />
• Review and install all recent ColdFusion security patches.<br />
• Register with the Adobe Security Notification system to be informed of the latest updates for ColdFusion.<br />
Related Information<br />
http://www.adobe.com/support/security/#coldfusion<br />
http://www.adobe.com/support/security/bulletins/apsb07-04.html<br />
http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert<br />
Vulnerability: Multiple Cross-Site Scripting Vulnerabilities<br />
Risk: Medium<br />
Impact: Possibility of credential theft, session hijacking, phishing attack, or the control of an end<br />
user’s browser environment using an additional attack vector such as phishing or social<br />
engineering.<br />
Vulnerable System: http://digitaltransactions.net<br />
Comments<br />
• The application is vulnerable to Cross-Site Scripting attacks. This occurs when web applications do not properly<br />
validate user-supplied inputs before re-using them in dynamic web pages.<br />
• By modifying input parameters, <strong>Trustwave</strong> was able to inject code, including malicious JavaScript in the<br />
application.<br />
• Exploiting this issue allows an attacker to supply arbitrary client-side code (JavaScript, VBScript, etc.) within<br />
application input parameters that will ultimately be rendered and executed within the end user’s web browser.<br />
• This type of attack may be used to steal information such as usernames, passwords and other sensitive data,<br />
remotely control or monitor the user’s browser, or impersonate a web page used to gather order information,<br />
including credit card numbers.<br />
• For example, an attacker could use this vulnerability by sending a customer or employee a URL with malicious<br />
code, which may be more likely to be executed or run at a different security level because it is from a “trusted”<br />
site.<br />
Detailed Examples<br />
One example of Cross-Site Scripting was found in the clickthru page of the site (attack string highlighted and bold):<br />
http://www.digitaltransactions.net/clickthru.cfm?adid=%3Cscript%3Ealert(%27xss%27)%3C/script%3E<br />
By injecting this JavaScript into the “adid” parameter, the script is executed in the user’s browser in the<br />
context of digitaltransactions.net, causing a simple proof-of-concept alert box to be displayed:<br />
The URLs listed below were found to be vulnerable to Cross-Site Scripting attacks:<br />
GET http://digitaltransactions.net/newsstory.cfm?newsid="/>alert(document.cookie)<br />
GET http://digitaltransactions.net/clickthru.cfm?adid="/>alert(document.cookie)<br />
GET http://digitaltransactions.net/newsstory.cfm?newsID="/>alert(document.cookie)<br />
POST http://digitaltransactions.net/searchcollaction.cfm (collection="/>alert(document.cookie)&searchstring=trustwave&search1=Search)<br />
POST http://digitaltransactions.net/searchcollaction.cfm (collection=digitrans&searchstring="/>&search1=Search)<br />
POST http://digitaltransactions.net/searchdbaction.cfm (searchstring=">alert(document.cookie))<br />
NOTE: In most cases, these Cross-Site Scripting payloads appear to be executed on the default error handler,<br />
although it’s difficult to determine without having access to the source code.<br />
Recommendation<br />
• Before using any user-supplied data, validate its format and reject any characters that are not explicitly allowed<br />
(i.e. a white-list). This list should be as restrictive as possible.<br />
• While not able to stop all attacks, a significant number of issues can be prevented by turning on the<br />
“Enable Global Script Protection” setting in the ColdFusion MX Administrator or setting the following tag in the<br />
<strong>Application</strong>.cfm:<br />
<br />
• Mark cookies as “Secure” and “HTTP-Only” where appropriate to minimize the impact of Cross-Site Scripting<br />
attacks.<br />
• Before using any data (stored or user-supplied) to generate web page content, escape all non-alphanumeric<br />
characters (i.e. output validation). This is particularly important when the original source of the data is beyond the<br />
control of the application. Even if the source of the data isn’t performing input validation, output validation will<br />
still prevent XSS. As demonstrated in the following table, this can be done by converting characters to “&#nn;”<br />
(ignore the quotes), where “nn” is the hexadecimal ASCII character number.<br />
Character Encoding Character Encoding<br />
< &lt; or &#60; ) &#41;<br />
> &gt; or &#62; # &#35;<br />
& &amp; or &#38; % &#37;<br />
" &quot; or &#34; ; &#59;<br />
' &#39; + &#43;<br />
( &#40; - &#45;<br />
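The function below is an added example, not the report’s or the application’s code, that implements the encoding in the table above in ColdFusion: every character outside A-Z, a-z and 0-9 is written out as its numeric character reference. The function and variable names are assumptions; the usage at the end applies it to the reflected adid parameter from the clickthru finding.

```cfml
<!--- Added example: output encoding as described in the table. Characters that are not letters or digits are
      replaced by &#nn; references, so injected markup such as <script> or "/> is rendered as text rather than
      parsed by the browser. ColdFusion's built-in HTMLEditFormat() covers only <, >, & and "; this covers
      the whole table, including quotes, parentheses and the other punctuation listed. --->
<cffunction name="encodeForHtml" returntype="string" output="false">
    <cfargument name="text" type="string" required="true">
    <cfset var out = "">
    <cfset var i = 0>
    <cfset var ch = "">
    <cfloop from="1" to="#Len(arguments.text)#" index="i">
        <cfset ch = Mid(arguments.text, i, 1)>
        <cfif REFind("[A-Za-z0-9]", ch)>
            <cfset out = out & ch>
        <cfelse>
            <!--- Asc() gives the character code; "##" is how a literal # is written inside a CFML string --->
            <cfset out = out & "&##" & Asc(ch) & ";">
        </cfif>
    </cfloop>
    <cfreturn out>
</cffunction>

<!--- Usage on the reflected "adid" parameter: the encoded value is safe both in the page body and inside a
      double-quoted attribute, because every quote, angle bracket and slash has become a character reference. --->
<cfparam name="url.adid" default="">
<cfoutput>
    <p>Advertisement: #encodeForHtml(url.adid)#</p>
    <input type="hidden" name="adid" value="#encodeForHtml(url.adid)#">
</cfoutput>
```

Encoding on output does not replace the white-list validation from the first recommendation; it is the second layer that still holds when stored data of unknown origin is displayed.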
Related Information<br />
http://www.owasp.org/index.php/Cross-site_scripting<br />
http://www.cftagstore.com/tags/trimvars.cfm<br />
http://ha.ckers.org/blog/category/webappsec/xss/<br />
http://www.technicalinfo.net/papers/CSS.html<br />
http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt<br />
Vulnerability: FTP Enabled<br />
Risk: Low<br />
Impact: An attacker may be able to intercept unencrypted traffic to the FTP server and steal user<br />
credentials, gain unauthorized access to the system, and potentially access<br />
digitaltransactions products such as PDF reports.<br />
Vulnerable System: ftp.digitaltransactions.net<br />
Comments<br />
• FTP transmits usernames and passwords, as well as data, in clear text and can be intercepted by anyone<br />
between the server and users.<br />
Example<br />
The following screenshot shows the FTP server listening on digitaltransactions.net port 21. The FTP banner identifies<br />
the server as Microsoft FTP:<br />
Recommendation<br />
• Replace FTP with a more secure file transfer mechanism such as SCP or SFTP, or an HTTPS-protected file upload<br />
page that requires authentication on the web application.<br />
Related Information<br />
http://en.wikipedia.org/wiki/FTP_server#Security_problems<br />
Vulnerability: Missing Custom Error Page<br />
Risk: Low<br />
Impact: Errors often reveal the internal workings of an application, disclose sensitive information,<br />
and can be used to aid additional attacks against a site.<br />
Vulnerable System: http://digitaltransactions.net<br />
Comments<br />
• Exceptions and errors were encountered when attempting to insert non-integer characters into a SQL integer<br />
type field or when incorrect parameters were supplied to Verity searches.<br />
• Error messages that contain useful information can aid an unauthorized user in performing more elaborate<br />
attacks. For example, an error message may reveal internal application logic such as SQL queries or display<br />
software version information that can be used as targeting information in subsequent exploitation.<br />
• <strong>Application</strong> errors are also an indication that proper server hardening guidelines have not been followed and may<br />
lead to the presence of additional security problems.<br />
Example<br />
The following screenshot shows a ColdFusion error message being displayed to users.<br />
The following URLs produced similar ColdFusion exceptions (malicious input highlighted):<br />
GET http://digitaltransactions.net/index.cfm?pageid=%27<br />
POST /searchcollaction.cfm (collection=digitrans&searchstring=%27&search1=Search)<br />
POST /searchcollaction.cfm (collection='&searchstring=trustwave&search1=Search)<br />
GET /clickthru.cfm?adid='<br />
GET http://www.digitaltransactions.net/newsstory.cfm?newsID=%27<br />
POST http://www.digitaltransactions.net/searchdbaction.cfm (searchstring=%3E)<br />
Recommendation<br />
• At the template level, ensure all code that may cause an error or exception condition is properly wrapped in<br />
cftry and cfcatch blocks.<br />
• At the application level, define custom templates for error conditions with the cferror tag in the<br />
<strong>Application</strong>.cfm file.<br />
• Site-Wide error handling pages and Missing Template Handlers can be configured through the ColdFusion<br />
Administrator Server Settings page. In addition, the cferror tag can be used to specify ColdFusion pages to<br />
handle specific types of errors.<br />
• Consider logging error messages using the cflog tag.<br />
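As an added example, not the report’s or the application’s configuration, the fragments below put the four recommendations together: a cferror declaration in Application.cfm, a cftry/cfcatch wrapper around a query that records the detail with cflog, and a generic error template that echoes nothing from the request. File names, the datasource, the log file name and the mail address are assumptions; the scriptProtect attribute is included because it is the cfapplication setting behind the “Enable Global Script Protection” recommendation in the Cross-Site Scripting finding.

```cfml
<!--- Application.cfm (assumed layout). cferror routes every unhandled exception and every request for a
      missing template to our own pages instead of the default ColdFusion handler that exposed internals
      (and the Cross-Site Scripting) in the findings above. scriptProtect="all" is the per-application
      equivalent of the Administrator's "Enable Global Script Protection" setting. --->
<cfapplication name="digitrans" sessionmanagement="true" scriptProtect="all">
<cferror type="exception" template="errors/exception.cfm" mailto="webmaster@example.invalid">
<cferror type="request" template="errors/request.cfm">

<!--- Template-level handling (assumed newsstory.cfm). The query runs inside cftry; on any failure the
      detail goes to the server log with cflog and the visitor sees only a fixed message, so neither the
      SQL text nor the offending input is reflected back. --->
<cfparam name="url.newsid" default="0">
<cftry>
    <cfquery name="story" datasource="digitrans">
        SELECT headline, body
        FROM news
        WHERE newsid = <cfqueryparam cfsqltype="cf_sql_integer" value="#url.newsid#">
    </cfquery>
    <cfcatch type="any">
        <cflog file="digitrans" type="error"
               text="newsstory failed: #cfcatch.message# (#cfcatch.detail#) client=#cgi.remote_addr#">
        <cfoutput><p>The requested story is not available. Please try again later.</p></cfoutput>
        <cfabort>
    </cfcatch>
</cftry>

<!--- errors/exception.cfm (assumed): the page shows a fixed message plus the error scope's timestamp so a
      user can quote it to support; error.diagnostics and the request data deliberately stay out of it. --->
<cfoutput>
    <h1>An error occurred</h1>
    <p>Reference time: #error.dateTime#</p>
</cfoutput>
```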
Related Information<br />
http://livedocs.adobe.com/coldfusion/7/htmldocs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=ColdFusion_Documentation&file=00001138.htm<br />
6 Conclusion<br />
Based on the results of this penetration test, <strong>Trustwave</strong> feels that Boland Hills should take<br />
additional measures to mitigate the risk of compromise of the tested application. Some<br />
best-practice issues were not being fully addressed, such as input validation (in the case<br />
of Cross-Site Scripting and SQL Injection), denial of service (email order system) and<br />
maintaining current security patches. These issues could lead to a compromise or the disruption<br />
of operations by a determined attacker. Boland Hills responded immediately to the most serious<br />
of the issues documented in this report, SQL Injection, and after appropriate<br />
analysis and discussion with the <strong>Trustwave</strong> team has closed the issue.<br />
New vulnerabilities are discovered on a daily basis; keeping that in mind, Boland Hills should<br />
continue their current program of regular vulnerability scanning and security testing.<br />